클라우드컴퓨팅 제1과제 공개문제.pdf
https://github.com/learn-wlstmd/EKS-2024-Jibang
`Web Service Provisioning`
1. VPC Create
2. Security Group Create
3. IAM Role Create
4. scp 배포 자료 업로드
5. EC2 Instance Create
6. ElastiCache Create (sg checking, port change)
7. Amazon DocumentDB Create (sg checking, port change)
8. Secret Manager
9. Cluster apply
10. eksctl setting
11. manifest deploy
12. Secret Manager Checking
13. Token Endpoint Upload
14. Ingress apply
15. alb Request Checking
16. 조건 체크
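#!/bin/bash
# Fail fast: a failed `aws` call or an unset variable must not silently turn
# the placeholders in cluster.yaml into empty strings.
set -euo pipefail

# Resolve a subnet ID from its Name tag.
# $1 - value of the Name tag to look up.
# Prints the subnet ID on stdout; returns 1 (with a message on stderr) when
# nothing matches, so the sed substitutions below never insert an empty value.
lookup_subnet() {
  local tag_name="$1"
  local subnet_id
  subnet_id=$(aws ec2 describe-subnets \
    --filters "Name=tag:Name,Values=${tag_name}" \
    --query "Subnets[].SubnetId[]" \
    --region ap-northeast-2 \
    --output text)
  if [ -z "$subnet_id" ]; then
    echo "subnet with Name=${tag_name} not found in ap-northeast-2" >&2
    return 1
  fi
  printf '%s\n' "$subnet_id"
}

public_a=$(lookup_subnet skills-public-subnet-a)
public_b=$(lookup_subnet skills-public-subnet-b)
private_a=$(lookup_subnet skills-private-subnet-a)
private_b=$(lookup_subnet skills-private-subnet-b)

# Replace the placeholder tokens in cluster.yaml in place ('|' delimiter because
# the values never contain it).
sed -i "s|public_a|$public_a|g" cluster.yaml
sed -i "s|public_b|$public_b|g" cluster.yaml
sed -i "s|private_a|$private_a|g" cluster.yaml
sed -i "s|private_b|$private_b|g" cluster.yaml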
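REGION_CORD="ap-northeast-2"
CLUSTER_NAME="skills-eks-cluster"
# Account ID is needed to build secret ARNs for the least-privilege policy below.
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)

# Associate the IAM OIDC provider; IRSA service accounts cannot be created without it.
eksctl utils associate-iam-oidc-provider --region="$REGION_CORD" --cluster="$CLUSTER_NAME" --approve

# IAM policy for the External Secrets service account.
# Scoped to the two secrets the ExternalSecret manifests actually read
# (mongodb/credentials and redis/credentials) instead of "*". Secrets Manager
# appends a random suffix to every secret ARN, hence the trailing "-*".
# kms:Decrypt stays on "*" (the secret's key ARN is not known here) but is
# limited to calls made through Secrets Manager in this region.
SECRET_ARN_PREFIX="arn:aws:secretsmanager:${REGION_CORD}:${ACCOUNT_ID}:secret"
cat >secret-policy.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadAppSecrets",
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetResourcePolicy",
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret",
        "secretsmanager:ListSecretVersionIds"
      ],
      "Resource": [
        "${SECRET_ARN_PREFIX}:mongodb/credentials-*",
        "${SECRET_ARN_PREFIX}:redis/credentials-*"
      ]
    },
    {
      "Sid": "DecryptViaSecretsManager",
      "Effect": "Allow",
      "Action": ["kms:Decrypt"],
      "Resource": ["*"],
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "secretsmanager.${REGION_CORD}.amazonaws.com"
        }
      }
    }
  ]
}
EOF

# Create the policy and an IRSA-backed service account in the skills namespace
# that carries it. --override-existing-serviceaccounts makes a re-run safe for
# the service account; create-policy itself fails if the policy already exists.
POLICY_ARN=$(aws --region "$REGION_CORD" --query Policy.Arn --output text iam create-policy --policy-name secretsmanager-policy --policy-document file://secret-policy.json)
eksctl create iamserviceaccount \
  --name external-secrets-cert-controller \
  --region="$REGION_CORD" \
  --cluster "$CLUSTER_NAME" \
  --namespace=skills \
  --attach-policy-arn "$POLICY_ARN" \
  --override-existing-serviceaccounts \
  --approve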
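# Add the Helm repository and refresh the index so the install below sees the chart
# (the original added the repo but never ran `helm repo update`).
helm repo add external-secrets https://charts.external-secrets.io
helm repo update

# Mark the IRSA service account as Helm-managed.
# NOTE(review): these annotations name release-namespace=skills while the release
# below is installed in kube-system with serviceAccount.create=false, so Helm does
# not manage this account at all — confirm whether they are still needed.
kubectl annotate serviceaccount external-secrets-cert-controller \
  meta.helm.sh/release-name=external-secrets \
  meta.helm.sh/release-namespace=skills \
  -n skills \
  --overwrite
kubectl label serviceaccount external-secrets-cert-controller \
  app.kubernetes.io/managed-by=Helm \
  -n skills \
  --overwrite

# Chart values: install the CRDs and pin every External Secrets component to
# the addon node group (block YAML is equivalent to the previous JSON form).
cat > values.yaml <<EOF
installCRDs: true
nodeSelector:
  eks.amazonaws.com/nodegroup: skills-eks-addon-nodegroup
webhook:
  nodeSelector:
    eks.amazonaws.com/nodegroup: skills-eks-addon-nodegroup
certController:
  nodeSelector:
    eks.amazonaws.com/nodegroup: skills-eks-addon-nodegroup
EOF

# Install External Secrets into kube-system. serviceAccount.create=false: the
# controller runs under the namespace's existing account; AWS access comes from
# the SecretStore's jwt reference to the IRSA account in skills.
helm install external-secrets \
  external-secrets/external-secrets \
  -n kube-system \
  -f values.yaml \
  --set serviceAccount.create=false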
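# SecretStore: External Secrets obtains a token for the named service account
# (jwt auth), so the IRSA role created above is used and no static AWS keys
# live in the cluster. The heredoc delimiter is quoted so nothing is expanded.
cat <<'EOF' > secretstore.yaml
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: aws-secrets
  namespace: skills
spec:
  provider:
    aws:
      service: SecretsManager
      region: ap-northeast-2
      auth:
        jwt:
          serviceAccountRef:
            name: external-secrets-cert-controller
EOF
kubectl apply -f secretstore.yaml

# ExternalSecret "token": each `data` entry becomes one key of the Kubernetes
# Secret `token`; `property` selects a field of the JSON stored in
# redis/credentials. Re-synced every 30s.
cat <<'EOF' > token.yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: token
  namespace: skills
spec:
  refreshInterval: 30s
  secretStoreRef:
    name: aws-secrets
    kind: SecretStore
  target:
    name: token
    creationPolicy: Owner
  data:
    - secretKey: REDIS_HOST
      remoteRef:
        key: redis/credentials
        property: host
    - secretKey: REDIS_PORT
      remoteRef:
        key: redis/credentials
        property: port
EOF
kubectl apply -f token.yaml

# ExternalSecret "user": same pattern for mongodb/credentials. The property
# names (secret_name, token_endpoint, ...) must exist in the stored JSON or the
# ExternalSecret stays in SecretSyncedError.
cat <<'EOF' > user.yaml
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: user
  namespace: skills
spec:
  refreshInterval: 30s
  secretStoreRef:
    name: aws-secrets
    kind: SecretStore
  target:
    name: user
    creationPolicy: Owner
  data:
    - secretKey: MONGODB_USERNAME
      remoteRef:
        key: mongodb/credentials
        property: username
    - secretKey: MONGODB_PASSWORD
      remoteRef:
        key: mongodb/credentials
        property: password
    - secretKey: MONGODB_HOST
      remoteRef:
        key: mongodb/credentials
        property: host
    - secretKey: MONGODB_PORT
      remoteRef:
        key: mongodb/credentials
        property: port
    - secretKey: AWS_REGION
      remoteRef:
        key: mongodb/credentials
        property: region
    - secretKey: AWS_SECRET_NAME
      remoteRef:
        key: mongodb/credentials
        property: secret_name
    - secretKey: TOKEN_ENDPOINT
      remoteRef:
        key: mongodb/credentials
        property: token_endpoint
EOF
kubectl apply -f user.yaml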
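# Print the raw secret JSON so the property names referenced by user.yaml and
# token.yaml can be checked. This writes the credentials in plaintext to the
# terminal (and to any CI log or recorded session) — run it interactively only.
aws secretsmanager get-secret-value --secret-id mongodb/credentials --query SecretString --output text
aws secretsmanager get-secret-value --secret-id redis/credentials --query SecretString --output text

# Attach the same policy to the node instance role.
# NOTE(review): this gives every pod on those nodes the secret permissions via
# the instance profile, which is far broader than the IRSA account above; if the
# SecretStore's jwt auth works, this attachment is redundant and should be removed.
# The role name is generated by eksctl and differs per cluster; look it up with
# `aws eks describe-nodegroup` rather than hard-coding it when reusing this script.
NODE_ROLE_NAME="eksctl-skills-eks-cluster-nodegrou-NodeInstanceRole-l7cHr1FkGb7N"
aws iam attach-role-policy --role-name "$NODE_ROLE_NAME" --policy-arn "$POLICY_ARN"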
Cluster.yaml
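apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: skills-eks-cluster
  region: ap-northeast-2
  version: "1.29"

# Envelope-encrypt Kubernetes Secrets with a customer-managed KMS key.
# kms_arn is a placeholder to be replaced before `eksctl create cluster`.
secretsEncryption:
  keyARN: kms_arn

# Send every control-plane log type to CloudWatch (audit, authenticator, ...).
cloudWatch:
  clusterLogging:
    enableTypes: ["*"]

# IRSA accounts for the load balancer controller and cert-manager.
iam:
  withOIDC: true
  serviceAccounts:
    - metadata:
        name: aws-load-balancer-controller
        namespace: kube-system
      wellKnownPolicies:
        awsLoadBalancerController: true
    - metadata:
        name: cert-manager
        namespace: cert-manager
      wellKnownPolicies:
        certManager: true

vpc:
  # Control-plane security group placeholder; the original note says it is for
  # HTTPS traffic.
  securityGroup: sg_id
  # public_a/public_b/private_a/private_b are placeholders substituted by the
  # provisioning script.
  subnets:
    public:
      ap-northeast-2a: { id: public_a }
      ap-northeast-2b: { id: public_b }
    private:
      ap-northeast-2a: { id: private_a }
      # Fixed: previously private_a, which put both private AZs on one subnet
      # and left the private_b substitution unused.
      ap-northeast-2b: { id: private_b }
  # Private-only API endpoint: kubectl must run from inside the VPC.
  clusterEndpoints:
    publicAccess: false
    privateAccess: true

managedNodeGroups:
  # Graviton (arm64) nodes for the application.
  - name: skills-eks-app-nodegroup
    instanceName: skills-eks-app-node
    instanceType: t4g.large
    desiredCapacity: 2
    minSize: 2
    maxSize: 10
  # Add-on nodes (External Secrets is pinned here by its nodeSelector).
  # NOTE(review): "m6.large" does not look like a valid instance type
  # (m6i.large / m6g.large are) — confirm before applying.
  - name: skills-eks-addon-nodegroup
    instanceName: skills-eks-addon-node
    instanceType: m6.large
    desiredCapacity: 2
    minSize: 2
    maxSize: 10

# Pods labelled app=token in the skills namespace run on Fargate.
fargateProfiles:
  - name: skills-eks-app-profile
    selectors:
      - namespace: skills
        labels:
          app: token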
솔루션
# k8s
TOKEN_ENDPOINT Cluster IP
addon 노드그룹 처리
# Secret
External Secret
# ElastiCache
TLS 전송 중 암호화 활성화 하기
클러스터 모드 활성화 하기
3-4 profiler
4-5 1개만 뜸
5-4 MUTABLE 뜸
6-1 부분 다 틀림
8-2 0.5vCPU 1GB가 출력안됨 (0.25vCPU 0.5GB)
9-1, 9-2 An error occurred (ResourceNotFoundException) when calling the FilterLogEvents operation: The specified log group does not exist.
10-1, 10-3 Pod 안늘어남.
60점 / 46.5점